Europol knocks RagnarLocker offline in second major ransomware bust this year

Group will be remembered as staunch negotiator and a bullier of critical infrastructure orgs


Law enforcement agencies have taken over RagnarLocker ransomware group's leak site in an internationally coordinated takedown.

The agencies involved include Europol's European Cybercrime Centre (EC3), the US's Federal Bureau of Investigation (FBI), and Germany's Bundeskriminalamt (BKA), among many others.

The takedown follows a concerted effort from law enforcement in recent years to shutter ransomware groups as their success continues to exceed previous records.

In January this year, the FBI led the way in taking down the Hive group, handing out decryption keys to more than 300 victims. The Bureau calculated the potential savings in ransom fees to be around $130 million.

At the time, FBI director Christopher Wray said only about 40 percent of Hive's victims contacted the FBI about the incident. 

A known tactic of RagnarLocker is to dissuade victims from contacting domestic law enforcement, a fact that makes the latest bust extra special, according to Jake Moore, global cybersecurity advisor at ESET.

"Any takedown by Europol is both significant and impressive but this seems to have extra kudos due to its Russian origin and it reflects the power of trying to suppress law enforcement help," he told The Register.

"In the past, RagnarLocker has warned their victims not to contact the police or FBI concerning their ransom demands or face the threat of having their data published. Therefore, this takedown will come as an extra blow to the ransomware group, who clearly have a bone of contention with the authorities."

Asked about the takedown, Europol declined to comment any further, other than that it's "part of an ongoing action against this ransomware group." More details are expected to be released via official channels tomorrow.

What is RagnarLocker?

RagnarLocker emerged in late 2019 or early 2020, depending on which security company's reports you read, and its location has never been conclusively proven.

Many different European and Asian countries have been linked to the gang that uses its own eponymous ransomware payload, though Russia and Ukraine are among those most often floated.

The FBI was prompted to release an advisory in March 2022 alerting organizations to its typical mission objectives – targeting critical infrastructure.

It said at the time that 52 critical infrastructure organizations had been successfully targeted by the group. This included victims in the manufacturing and energy sectors, as well as finance, government, and IT. 

It came just a year after one of the largest attacks on critical infrastructure in US history swept the headlines, at a time when attacks on critical infrastructure were still high on the list of the US's concerns.

DarkSide's attack on Colonial Pipeline caused major disruption to the East Coast of the US, and prompted the Biden administration to issue Executive Order 14028: Improving the Nation's Cybersecurity in response.

RagnarLocker is also well known for adopting a double-extortion model and was notoriously staunch in its approach to negotiations.

Most modern ransomware groups are open to negotiating fees, as long as the negotiations don't hurt their feelings. RagnarLocker was known for its take-it-or-leave-it stance on issuing ransom demands. 

The gang was previously considered one of the most dangerous in operation, though it hasn't been as active in 2023.

It was omitted from Microsoft's latest Digital Defense Report, which ranked the top ransomware groups in operation currently.

The only major attack claimed by RagnarLocker in the past year was on an Israeli hospital – an incident that saw it leak 400GB of data of an alleged total 1TB stolen, part of its telltale double extortion tactic. Well… former tactic, now.
